Aqua Trivy is a simple and comprehensive scanner to detect vulnerabilities in container images, file systems, and Git repositories. It can also help in identifying configuration-related issues. In addition, Trivy scans infrastructure as code (IaC) files such as Terraform, Dockerfile and Kubernetes YAML to detect potential configuration issues that expose your deployments to the risk of attack.
Aqua Starboard is a scanner tool which integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard CLI is a single executable binary which can be used to find risks, such as vulnerabilities or insecure pod descriptors, in Kubernetes workloads. By default, the risk assessment reports are stored as custom resources.
Trivy and Starboard for scanning GitLab on IBM Power
Trivy and Starboard have gained a lot of popularity as DevOps vulnerability scanning tools. Many users are interested in using their functionality on IBM Power, which creates the need to make these tools available on Power. GitLab has also announced Aqua Trivy and Starboard as its default scanner tools for providing DevOps container security to its customers. You can read more about it in the case study, GitLab Uses Aqua Trivy to Provide Customers with Default DevSecOps Container Security.
Aqua Trivy is officially supported on IBM Power, whereas Aqua Starboard has no official support for the ppc64le architecture. This tutorial helps users who want to use these scanning tools on the IBM Power architecture to test GitLab workloads.
Make sure that the following prerequisites are fulfilled for installing Trivy and Starboard on Power:
A stand-alone virtual machine (VM) to build and install Trivy
The example in this tutorial uses a ppc64le CentOS 8.2 VM. You can use IBM Power Systems Virtual Server service at IBM Cloud or Minicloud to get your ppc64le virtual machine.
A ppc64le Red Hat OpenShift Container Platform cluster for building and installing Starboard
You can deploy a Red Hat OpenShift cluster on IBM Power Virtual Servers using the steps in the Installing Red Hat OpenShift Container Platform 4.x on IBM Power Systems Virtual Servers tutorial.
Install Docker and other dependencies on the Power VM.
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-20.10.2-3.el8.ppc64le.rpm
wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-cli-20.10.2-3.el8.ppc64le.rpm
wget https://download.docker.com/linux/centos/8/ppc64le/test/Packages/containerd.io-1.4.9-3.1.el8.ppc64le.rpm
yum localinstall docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm docker-ce-cli-20.10.2-3.el8.ppc64le.rpm docker-ce-20.10.2-3.el8.ppc64le.rpm containerd.io-1.4.9-3.1.el8.ppc64le.rpm
service docker start
yum install libseccomp -y
Install the Go runtime on the Power VM and the Power cluster.
git clone https://github.com/rpsene/goconfig.git
cd ./goconfig
source ./go.sh install
It takes around 30 minutes to install Trivy and Starboard for scanning GitLab workloads and artifacts.
- Build and install Trivy
- Scan GitLab artifacts using Trivy
- Build Starboard on the Power cluster
- Scan GitLab workloads on the Power cluster
1. Build and install Trivy
Run the following commands to build a Trivy image on ppc64le architecture:
git clone https://github.com/aquasecurity/trivy.git
cd trivy
docker build -t quay.io/snehakpersistent/trivy:ppc64le .
This image can be used when you want to run Trivy in a containerized environment. In this tutorial, we use it to build Starboard in the next section. The image is available in the Quay.io repository.
Aqua Trivy is easy to use. Just install the binary file and you’re ready to scan. Run the following command to install Trivy on Power:
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-PPC64LE.rpm
2. Scan GitLab artifacts using Trivy
Trivy can scan the following artifact types: container images, file systems, Git repositories, and IaC configuration files.
Let’s begin using Trivy to detect vulnerabilities and misconfigurations in the GitLab Runner operator on Power.
Example commands for detecting vulnerabilities are as follows:
# Container image
trivy image registry.gitlab.com/skanekar1/gitlab-runner-operator/gitlab-runner-operator:linux-ppc64le-v0.0.1-259402c6
# Filesystem
trivy fs /root/gitlab-runner-operator
# Git repository
trivy repo https://gitlab.com/skanekar1/gitlab-runner-operator
Example commands for detecting misconfigurations in the IaC files are as follows:
# Dockerfile
trivy config --severity HIGH /root/gitlab-runner-operator/ci
# YAML or Terraform
trivy config gitlab-runner-operator/config/manager/
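The commands above print a table, which is fine for a first look but not for a CI job that has to decide whether a build may proceed. The following helper is an added example, not part of Trivy or of this tutorial: it reads a Trivy JSON report (produced by adding `--format json` to the image, fs, repo or config commands above) and applies a simple policy. The report embedded in it is constructed for the example, with placeholder package names, CVE identifiers and check IDs; the field names (`Results[].Vulnerabilities[]`, `Results[].Misconfigurations[]`, `FixedVersion`, `Status`) are those of Trivy's JSON output as this example assumes it.

```python
"""Gate a CI job on a Trivy JSON report (added example; not Trivy's own code).

Run the tutorial's commands with ``--format json -o report.json`` and pass
the file to this script. The sample report below is constructed for the
example; all package names, CVE IDs and check IDs are placeholders.
"""
import json
from collections import Counter

# Severities that should block a pipeline.
BLOCKING = ("CRITICAL", "HIGH")

# Constructed sample: the shape of a `trivy image --format json` result
# combined with a `trivy config --format json` result for a Dockerfile.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/gitlab-runner-operator:placeholder",
    "Results": [
        {
            "Target": "example.invalid/gitlab-runner-operator (ubi 8.4)",
            "Type": "redhat",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
            ],
        },
        {
            "Target": "ci/Dockerfile",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "PLACEHOLDER-001", "Title": "Image runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "PLACEHOLDER-002", "Title": "Base image is pinned",
                 "Severity": "MEDIUM", "Status": "PASS"},
            ],
        },
    ],
})


def findings(report: dict):
    """Yield (target, kind, identifier, severity, fixable) for every finding.

    A vulnerability is fixable when Trivy reports a FixedVersion. Only
    misconfigurations with Status FAIL are findings; they are always fixable
    because the file under test is under our control.
    """
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            yield (target, "vuln", vuln["VulnerabilityID"],
                   vuln.get("Severity", "UNKNOWN"), bool(vuln.get("FixedVersion")))
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status") == "FAIL":
                yield (target, "misconf", misconf["ID"],
                       misconf.get("Severity", "UNKNOWN"), True)


def evaluate(report_json: str, fixable_only: bool = True):
    """Return (passed, counts, blocking).

    counts maps severity to the number of findings; blocking lists the
    findings that fail the policy. With fixable_only=True an unfixable
    CRITICAL (no vendor fix yet) is counted and reported but does not block,
    so the pipeline can still go green while the risk stays visible.
    """
    report = json.loads(report_json)
    counts = Counter()
    blocking = []
    for target, kind, ident, severity, fixable in findings(report):
        counts[severity] += 1
        if severity in BLOCKING and (fixable or not fixable_only):
            blocking.append(f"{target}: {kind} {ident} ({severity})")
    return (not blocking), dict(counts), blocking


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, counts, blocking = evaluate(data)
    print("severity counts:", counts)
    for line in blocking:
        print("BLOCKING:", line)
    sys.exit(0 if passed else 1)
```

On the constructed sample the script exits non-zero because of the fixable HIGH vulnerability and the failed Dockerfile check, while the unfixable CRITICAL is only reported. Trivy's own `--exit-code` and `--severity` flags give a coarser version of the same gate; the script is useful when you want the fixable/unfixable distinction or a single decision across image and IaC results.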
3. Build Starboard on the Power cluster
Starboard can be run in two different modes: Starboard CLI and Starboard Operator. In this tutorial, we focus on the Starboard CLI. Run the following commands to build the Starboard binary file for the ppc64le architecture. Internally, it uses the Trivy image for Power that we built in the Build and install Trivy section.
git clone https://github.com/snehakpersistent/starboard.git
cd starboard/
git checkout ppc-support
make
cp bin/starboard /usr/local/bin/
4. Scan GitLab workloads on the Power cluster
The easiest way to get started with Starboard is to use an imperative starboard command, which allows ad hoc scanning of Kubernetes workloads deployed in your cluster.
To begin with, run the following one-time setup command:
starboard init
The init subcommand creates the Starboard namespace, in which Starboard runs Kubernetes jobs to perform scans. It also registers the custom security resource definitions with the Kubernetes API.
Let’s begin by scanning the GitLab Runner operator workloads. Run the vulnerability scanner to generate vulnerability reports.
starboard scan vulnerabilityreports deployment.apps/gitlab-runner-runner
Behind the scenes, by default, the above command uses Trivy in stand-alone mode to identify vulnerabilities in the container images associated with the specified deployment. After this is done, you can retrieve the latest vulnerability reports for this workload using the following command:
starboard get vulnerabilities deployment.apps/gitlab-runner-runner -o yaml
Similarly, you can audit the Kubernetes configuration of your GitLab workload using the following commands:
starboard scan configauditreports pod/gitlab-runner-runner-7dcd8cc584-rxvwx
starboard get configaudit pod/gitlab-runner-runner-7dcd8cc584-rxvwx -o yaml
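Because Starboard stores each report as a custom resource, the output of `starboard get vulnerabilities` can be saved and compared over time, for example before and after a rebuild of the runner image. The script below is an added example, not part of Starboard or of this tutorial: it reads two saved snapshots and reports, per container, which vulnerabilities were introduced and which were resolved. It assumes the reports are saved with `-o json` (the tutorial shows `-o yaml`; both are assumed to be accepted) and that a multi-container workload comes back as a `List` of `VulnerabilityReport` objects; the two snapshots embedded in it are constructed, with placeholder CVE identifiers, and the field names (`metadata.labels["starboard.container.name"]`, `report.vulnerabilities[]`) follow the v1alpha1 VulnerabilityReport CRD as this example assumes it.

```python
"""Diff two Starboard VulnerabilityReport snapshots (added example; not
Starboard's own code).

Usage: save ``starboard get vulnerabilities <workload> -o json`` to a file
before and after a change, then run ``python diff_reports.py before.json
after.json``. Without arguments the constructed sample data below is used.
"""
import json

# Label Starboard sets on each report to name the scanned container
# (assumed from the v1alpha1 CRD; constructed sample data uses it too).
CONTAINER_LABEL = "starboard.container.name"


def _report(container: str, vulns: list) -> dict:
    """Build one constructed VulnerabilityReport object for the sample data."""
    return {
        "apiVersion": "aquasecurity.github.io/v1alpha1",
        "kind": "VulnerabilityReport",
        "metadata": {"name": f"deployment-gitlab-runner-runner-{container}",
                     "labels": {CONTAINER_LABEL: container}},
        "report": {"vulnerabilities": vulns},
    }


# Constructed snapshot taken before an image rebuild (placeholder CVE IDs).
BEFORE = json.dumps({"kind": "List", "items": [
    _report("runner", [
        {"vulnerabilityID": "CVE-0000-0001", "resource": "libexample",
         "installedVersion": "1.0-1", "fixedVersion": "1.0-2", "severity": "HIGH"},
        {"vulnerabilityID": "CVE-0000-0002", "resource": "libexample",
         "installedVersion": "1.0-1", "fixedVersion": "", "severity": "CRITICAL"},
    ]),
    _report("helper", []),
]})

# Constructed snapshot after the rebuild: one CVE fixed in "runner", a new
# dependency in "helper" brought in a MEDIUM finding.
AFTER = json.dumps({"kind": "List", "items": [
    _report("runner", [
        {"vulnerabilityID": "CVE-0000-0002", "resource": "libexample",
         "installedVersion": "1.0-1", "fixedVersion": "", "severity": "CRITICAL"},
    ]),
    _report("helper", [
        {"vulnerabilityID": "CVE-0000-0009", "resource": "newdep",
         "installedVersion": "3.0", "fixedVersion": "3.1", "severity": "MEDIUM"},
    ]),
]})


def index(snapshot_json: str) -> dict:
    """Map container name -> {vulnerabilityID: severity}.

    Accepts either a single VulnerabilityReport or a List of them.
    """
    doc = json.loads(snapshot_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    out = {}
    for item in items:
        container = item.get("metadata", {}).get("labels", {}).get(CONTAINER_LABEL, "?")
        out.setdefault(container, {})
        for v in item.get("report", {}).get("vulnerabilities") or []:
            out[container][v["vulnerabilityID"]] = v.get("severity", "UNKNOWN")
    return out


def diff_reports(before_json: str, after_json: str) -> dict:
    """Return {container: {"introduced": {id: sev}, "resolved": {id: sev}}}.

    Containers present in only one snapshot are included, so a container
    that appeared in or vanished from the workload is visible as well.
    """
    before, after = index(before_json), index(after_json)
    result = {}
    for container in sorted(set(before) | set(after)):
        old, new = before.get(container, {}), after.get(container, {})
        result[container] = {
            "introduced": {k: new[k] for k in new.keys() - old.keys()},
            "resolved": {k: old[k] for k in old.keys() - new.keys()},
        }
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        before_json, after_json = (open(p).read() for p in sys.argv[1:3])
    else:
        before_json, after_json = BEFORE, AFTER
    for container, change in diff_reports(before_json, after_json).items():
        print(f"{container}: +{len(change['introduced'])} -{len(change['resolved'])}")
        for cve, sev in change["introduced"].items():
            print(f"  NEW      {cve} ({sev})")
        for cve, sev in change["resolved"].items():
            print(f"  RESOLVED {cve} ({sev})")
```

Keying the comparison on the container label rather than on the report name keeps the diff stable when a Deployment is rolled and its report names change; the same approach works for ConfigAuditReports once you pick the field that identifies a check.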
This tutorial explained how to install Aqua Trivy and Starboard on IBM Power and use them to scan GitLab workloads and artifacts. It should help users who want to use these scanning tools on IBM Power systems.